https://west.craft309.com/
104.18.18.107 · Cloudflare, Inc.
Toronto, Canada
3504 days
200 · 53.6s
Valid · E7, Let's Encrypt, US
COMPLETED
Domain Intelligence: craft309.com
Scanned 2 times since May 26, 2026, 12:46 PM UTC
Registered-domain escalation
Submit craft309.com as the primary IOC, enriched with evidence from hostile subdomains like west.craft309.com.
No KB/IOK detections were recorded for this scan.
technology | finance | ecommerce | other · 6/3/2026
The page is hosted on west.craft309.com but loads resources from off-domain endpoints (mama.atarhaber.com) and an off.php script, suggesting the page may be cloaking or loading external assets. The HTML indicates a SPA with potential for dynamic credential capture, but the static HTML contains no forms. Visual evidence from the screenshot shows a fake advertising UI and a bottom navigation bar, not a legitimate brand login page. Although no concrete credential form is observed in the static HTML, the off-domain script and suspicious asset patterns imply possible credential harvesting via a cloaked SPA. The analyst flagged likely cloaking/evasion behavior for this target. Analyst note: this target may cloak content or block scanners.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 21
Hosts: 7
Domains: 7
Suspicious Endpoints
hxxps://cdn3d[.]iconscout[.]com/3d/free/thumb/free-telegram-3d-icon-png-download-7516821.png
Off-Domain Posts
hxxps://cdn3d[.]iconscout[.]com/3d/free/thumb/free-telegram-3d-icon-png-download-7516821.png
The page uses off-domain JS and assets to present a suspicious UI, with no static login form but potential for dynamic credential capture. The combination of cloaking indicators (off-domain script, suspicious image assets, SPA rendering) and a banner-heavy, non-brand-consistent interface suggests possible credential harvesting or cloaked phishing behavior. Recommend monitoring and further investigation; this is not definitively confirmed phishing, since no credential submission was observed. The presence of external endpoints and cloaked content raises the risk significance for abuse reporting. The analyst-reported suspicion of cloaking/evasion increases confidence that the operator is actively attempting to evade automated security analysis. Analyst context was provided and corroborated during this assessment (Analyst note: this target may cloak content or block scanners).
Monitor